如何使用 GetUmsSystemThreadInformation 枚举 UMS 调度程序线程?
问题描述 投票:0回答:1
我正在尝试使用 GetUmsSystemThreadInformation 枚举 UMS 调度程序线程,但我无法使其按预期方式工作。
这是我到目前为止的代码:
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include "UMSEnum.h"
void EnumerateThreads(DWORD tid) {
// Create a snapshot of all processes
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
std::cerr << "[-] Error creating snapshot: " << GetLastError() << std::endl;
return;
}
// Initialize the THREADENTRY32 structure
THREADENTRY32 threadEntry;
threadEntry.dwSize = sizeof(THREADENTRY32);
// Retrieve information about the first thread
if (Thread32First(hSnapshot, &threadEntry)) {
do {
// Display information about each thread
// std::cout << "[.] Thread ID: " << threadEntry.th32ThreadID << std::endl;
// Get the thread handle using the thread ID
if (threadEntry.th32ThreadID != tid && tid != 0)
continue;
HANDLE hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, threadEntry.th32ThreadID);
if (hThread != NULL) {
UMS_SYSTEM_THREAD_INFORMATION tInfo;
tInfo.UmsVersion = UMS_VERSION;
tInfo.IsUmsSchedulerThread = 1;
tInfo.IsUmsWorkerThread = 0;
// Perform actions on the thread handle if needed
BOOL found = GetUmsSystemThreadInformation(hThread, &tInfo);
if ( found && GetLastError() != ERROR_NOT_SUPPORTED) {
std::cout << "[.] "
<< threadEntry.th32OwnerProcessID
<< "[" << threadEntry.th32ThreadID << "]"
<< "[" << tInfo.IsUmsSchedulerThread << "]"
<< "[" << tInfo.IsUmsWorkerThread << "]"
<< "[" << tInfo.ThreadUmsFlags << "]"
<< std::endl;
}
else {
std::cout << "[-] GetUmsSystemThreadInformation failed - " << threadEntry.th32ThreadID << " - " << GetLastError() << std::endl;
}
// Close the thread handle
CloseHandle(hThread);
}
//else {
// std::cerr << "Error opening thread: " << GetLastError() << std::endl;
//}
} while (Thread32Next(hSnapshot, &threadEntry));
}
else {
std::cerr << "[-] Error getting thread information: " << GetLastError() << std::endl;
}
// Close the thread snapshot handle
CloseHandle(hSnapshot);
}
int main(int argc, char** argv) {
EnumerateThreads(atol(argv[1]));
return 0;
}
至少对我来说,这似乎是正确的,但是这段代码将列出系统中的每个线程 ID,而不仅仅是 UMS 调度程序的 ID。此外,GetUmsSystemThreadInformation 始终返回 true。
以下是我用来创建 UMS Scheduler 线程的测试应用程序。
#include <iostream>
#include <Windows.h>
PUMS_COMPLETION_LIST g_CompletionList;
RTL_UMS_SCHEDULER_ENTRY_POINT RtlUmsSchedulerEntryPoint;
void RtlUmsSchedulerEntryPoint(
RTL_UMS_SCHEDULER_REASON Reason,
ULONG_PTR ActivationPayload,
PVOID SchedulerParam
)
{
std::cout << "[+] It works - " << GetCurrentThreadId() << std::endl;
switch (Reason)
{
case UmsSchedulerStartup:
std::cout << "[+] UmsSchedulerStartup" << std::endl;
break;
case UmsSchedulerThreadBlocked:
std::cout << "[+] UmsSchedulerThreadBlocked" << std::endl;
break;
case UmsSchedulerThreadYield:
std::cout << "[+] UmsSchedulerThreadYield" << std::endl;
break;
default:
break;
}
}
DWORD WINAPI SchedulerThreadProc(LPVOID lpThreadParameter)
{
UMS_SCHEDULER_STARTUP_INFO umsStartupInfo;
umsStartupInfo.UmsVersion = UMS_VERSION;
umsStartupInfo.SchedulerParam = nullptr;
umsStartupInfo.SchedulerProc = RtlUmsSchedulerEntryPoint;
umsStartupInfo.CompletionList = g_CompletionList;
if (!EnterUmsSchedulingMode(&umsStartupInfo))
{
std::cerr << "[-] EnterUmsSchedulingMode failed - " << GetLastError() << std::endl;
return false;
}
Sleep(INFINITE);
return true;
}
int main()
{
UMS_SCHEDULER_STARTUP_INFO startupInfo;
if (!CreateUmsCompletionList(&g_CompletionList)) {
std::cerr << "[-] CreateUmsCompletionList failed - " << GetLastError() << std::endl;
}
HANDLE hThread = CreateThread(NULL, 0, SchedulerThreadProc, NULL, NULL, NULL);
if (hThread == NULL) {
std::cerr << "[-] CreateThread failed - " << GetLastError() << std::endl;
return 1;
}
int foo;
std::cin >> foo;
return 0;
}
这是运行两者的示例:
我想我不知道如何正确设置SystemThreadInfo。
如有任何帮助,我们将不胜感激。
1个回答
0
投票
投票
Warning As of Windows 11, user-mode scheduling is not supported. All calls fail with the error ERROR_NOT_SUPPORTED.
来自当前的 msdn 文档:
[输入,输出] 系统线程信息
指向已初始化
结构的指针 指定查询的线程类型。UMS_SYSTEM_THREAD_INFORMATION
和
如果指定线程与线程类型匹配,则返回
由 SystemThreadInfo 参数指定。否则,函数 返回TRUE。FALSE
然而这是非常奇怪且不合逻辑的 api 设计。同样在这种情况下,SystemThreadInfo将只是in参数,但为什么它在api声明中标记为
_Inout_否则,该函数将返回
FALSEGetLastError()接下来是逻辑和本机设计 - IsUmsSchedulerThread 和 IsUmsWorkerThread 必须是 out 参数。如果
hThreadTHREAD_QUERY_INFORMATION让我们寻找
GetUmsSystemThreadInformationBOOL
WINAPI
GetUmsSystemThreadInformation(
_In_ HANDLE ThreadHandle,
_Inout_ PUMS_SYSTEM_THREAD_INFORMATION SystemThreadInfo
)
{
if (UMS_VERSION != SystemThreadInfo->UmsVersion) return STATUS_INVALID_PARAMETER;
THREAD_UMS_INFORMATION tui = { UmsInformationCommandQuery };
ULONG rcb;
NTSTATUS status = NtQueryInformationThread(hThread, ThreadUmsInformation, &tui, sizeof(tui), &rcb);
if (0 > status)
{
RtlSetLastWin32Error(RtlNtStatusToDosError(status));
return FALSE;
}
SystemThreadInfo->ThreadUmsFlags = tui.Flags;
return TRUE;
}
从中可以清楚地看到,
IsUmsSchedulerThreadIsUmsWorkerThread因此接下来必须是检查线程的正确代码:
void CheckUmsThread(HANDLE hThread, ULONG pid, ULONG tid)
{
UMS_SYSTEM_THREAD_INFORMATION SystemThreadInfo { UMS_VERSION };
if (GetUmsSystemThreadInformation(hThread, &SystemThreadInfo))
{
if (SystemThreadInfo.ThreadUmsFlags && SystemThreadInfo.ThreadUmsFlags)
{
__debugbreak();
}
PCSTR pcsz = 0;
if (SystemThreadInfo.IsUmsSchedulerThread)
{
pcsz = "Scheduler";
}
else if (SystemThreadInfo.IsUmsWorkerThread)
{
pcsz = "Worker";
}
if (pcsz)
{
DbgPrint("%x.%x: Ums%sThread\n", pid, tid, pcsz);
}
}
else
{
GetLastError();
RtlGetLastNtStatus();
}
}
完整代码可以在下一个:
NTSTATUS status;
ULONG cb = 0x10000;
do
{
status = STATUS_NO_MEMORY;
if (PVOID buf = LocalAlloc(LMEM_FIXED, cb += 0x1000))
{
if (0 <= (status = NtQuerySystemInformation(SystemProcessInformation, buf, cb, &cb)))
{
union {
ULONG_PTR up;
SYSTEM_PROCESS_INFORMATION* pspi;
PVOID pv;
};
pv = buf;
ULONG NextEntryOffset = 0;
OBJECT_ATTRIBUTES oa = { sizeof(oa) };
do
{
up += NextEntryOffset;
if (ULONG NumberOfThreads = pspi->NumberOfThreads)
{
SYSTEM_THREAD_INFORMATION* Thread = (SYSTEM_THREAD_INFORMATION*)pspi->Threads;
do
{
HANDLE hThread;
if (0 <= NtOpenThread(&hThread, THREAD_QUERY_INFORMATION, &oa, &Thread->ClientId))
{
CheckUmsThread(hThread,
(ULONG)(ULONG_PTR)Thread->ClientId.UniqueProcess,
(ULONG)(ULONG_PTR)Thread->ClientId.UniqueThread);
NtClose(hThread);
}
} while (Thread++, --NumberOfThreads);
}
} while (NextEntryOffset = pspi->NextEntryOffset);
}
LocalFree(buf);
}
} while (STATUS_INFO_LENGTH_MISMATCH == status);
最新问题
- Plotly:如何制作具有多条迹线的子图
- 奇怪的仿制药问题
- 读取文件时跳过数据
- 在 iOS 上存储身份验证令牌 - NSUserDefaults 与 Keychain?
- Hotspot JVM 中方法未编译的原因
- 在 Xcode 中保护 API 密钥的最佳/最简单方法是什么? [重复]
- iOS应用程序可以通过API调用分发吗
- Vite 模块加载器缺少文件扩展名
- 如何从字符串 URL 中删除“+”[重复]
- 针对其值和数据类型设置 Excel 单元格的格式 [已关闭]
- 在 IE8 和 IE9 中字体显得更大
- 哥德巴赫猜想(java)
- 如何使用“npm install”调试“无效标签名称”错误
- 将值从页面表单传递到 Shopify Liquid 中的 javascript
- 如何将 Salesforce 与 pyspark 连接?
- 测试模板客户端中是否已定义 ui:insert
- 如何在openssl中将纯文本公钥转换为der
- char** 和 valgrind 条件跳转错误
- 这段代码中的 jQuery focus() 方法在做什么?
- Jetpack Compose:BottomBar 中的透明“淡入淡出”渐变
© www.soinside.com 2019 - 2024. All rights reserved.